[OpenAFS] Active Directory Kerberos ticket allowing to access OpenAFS cell?

stasheck stasheck.fora@gmail.com
Wed, 2 Nov 2011 17:17:20 +0100

I'm still trying to solve some issues regarding proper integration of
ActiveDirectory into our IT environment. One thing I learned, it's
impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
from MIT Kerberos, so I need some workarounds.

First, I'm going to block password change from Windows boxes and force
everyone to change their password on MIT Kerberos - because I can sync
that to AD.

Second problem/idea is to create SingleSignOn to OpenAFS just by
logging into Windows account.

I've seen bits and pieces that would suggest that it's possible, but I
still can't wrap my head around it.

What I know, what I need:
- all users have account both in Active Directory domain, and in MIT
Kerberos (another domain) (check)
- I can form mutual trust relationship between MIT and AD (did that to
test some previous ideas)
- a user logs into AD domain, and gets AD Kerberos ticket (but I don't
know if there's any way to use this ticket for other services?)

Is there any way to use AD ticket to get into MIT-based AFS?


PS. I just stumbled on a very interesting article:
https://twiki.cern.ch/twiki/bin/view/AFSService/UnifiedKerberos but I
cannot read any links - I don't have a CERN account. I believe that
some people here work at CERN, would somebody be so kind and share the
documents linked from this one? Many thanks.